You are a well-respected CTO of a major hosting provider. You recently invested in and installed the latest network security solutions in your data center and are looking forward to a full night’s sleep, knowing you have taken the proper measures to secure your company’s data. Then the phone rings and your security team relays the bad news: you have suffered a DDoS attack. Not only did your website go down, but the attack went completely unnoticed until several back-end systems were almost entirely unresponsive. You ask yourself, “How could this possibly have happened, given the network security our team has implemented?”
Welcome to the elusive, difficult-to-spot and even more difficult-to-defend application-layer distributed denial-of-service (DDoS) attack, sometimes referred to as a “Layer 7” DDoS attack. Because your website and the systems and applications supporting it are exposed to the outside world, they are ripe targets for more sophisticated attacks designed either to exploit unpatched flaws or to abuse the way the systems legitimately work, for example by hammering the most expensive requests a site will answer. As application development continues to move to the Cloud, this kind of attack will remain difficult to defend against.
How can security teams stay ahead of the onslaught that continues to assault organizations regardless of size or industry type?
The Brawn vs. The Brains
When the news reports on DDoS attacks, it is generally referring to large-scale network attacks aimed at Layers 3 and 4 of the network stack. From a mitigation point of view, however, network-layer attacks are not sophisticated. Whether this type of attack can be mitigated always comes down to a simple question: who has more network capacity, the attacker or the mitigation service?
The application-layer, or Layer 7, attack is a completely different animal. When defending against these stealthy and complex methods, success depends not on how big your pipes are but on how smart your security technology is and how well it is used.
The Invisible Attack
Successful mitigation of a Layer 7 DDoS attack relies on the ability to profile incoming traffic accurately: to distinguish between humans, human-like bots, hijacked Web browsers and compromised connected devices such as home routers. As a result, the Layer 7 mitigation process is often far more complex than the attack itself. This complexity, combined with the fact that a well-executed attack looks like ordinary traffic, contributes to the lack of headlines on the subject. The security industry in general prefers to talk in terms of network capacity, which of course says nothing about your resilience against application-layer attacks.
Whereas a network attack simply saturates bandwidth or connection state, an application-layer attack over-exercises specific functions or features of a website, such as search, login or checkout, with the intention of exhausting the back-end resources behind them. It is harder to detect because each request is individually valid, and because many of the weaknesses it exploits live in the proprietary code of the Web application, where existing security defenses have no knowledge of them.
As mentioned earlier, the Cloud and the pervasive cloud-based platforms becoming the new normal in application development have increased the attack surface of many organizations. To defend against the ever-changing DDoS landscape, developers need to build security measures into the application during the development phase itself, bounding how much work any single request can cause and how often one client can cause it.
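To make the development-phase point concrete, here is an added example (not code from the article or from NSFOCUS) of a hypothetical product-search handler in its "before" and "after" forms. The catalogue, the endpoint, the limits and the client address 203.0.113.9 are all constructed for illustration. The unbounded version trusts every parameter, so a single cheap request can force a full catalogue scan and a huge response; the hardened version refuses work before spending it (a per-client token bucket) and bounds the work it does spend (query length, page size, early exit from the scan).

```python
from typing import Dict, List, Tuple

# Constructed catalogue standing in for a product database (hypothetical data).
CATALOGUE: List[str] = [f"item-{i:04d}" for i in range(5000)]


class RequestRejected(Exception):
    """Raised by the hardened handler for requests it refuses to do work for."""


def search_unbounded(query: str, page_size: int) -> List[str]:
    """'Before': every parameter is trusted. A one-character query matches the
    whole catalogue and page_size=10**9 serialises all of it, so one cheap
    request costs the server a full scan plus a huge response, every time."""
    hits = [item for item in CATALOGUE if query in item]
    return hits[:page_size]


# Bounds chosen for the example; a real service derives them from measured cost.
MIN_QUERY_LEN = 2
MAX_QUERY_LEN = 64
MAX_PAGE_SIZE = 50


class TokenBucket:
    """Per-client token bucket: up to `burst` requests at once, refilling `rate`/s.
    The clock is passed in by the caller so the behaviour is deterministic."""

    def __init__(self, rate: float, burst: int) -> None:
        self.rate, self.burst = rate, burst
        self._state: Dict[str, Tuple[float, float]] = {}  # key -> (tokens, last_seen)

    def allow(self, key: str, now: float) -> bool:
        tokens, last = self._state.get(key, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens < 1.0:
            self._state[key] = (tokens, now)  # keep the partial refill, deny
            return False
        self._state[key] = (tokens - 1.0, now)
        return True


def search_hardened(client: str, query: str, page_size: int,
                    now: float, limiter: TokenBucket) -> List[str]:
    """'After': decide whether to spend work before spending it, then bound it."""
    if not limiter.allow(client, now):
        raise RequestRejected("429 Too Many Requests")
    if not MIN_QUERY_LEN <= len(query) <= MAX_QUERY_LEN:
        raise RequestRejected("400 query length out of range")
    page_size = max(1, min(page_size, MAX_PAGE_SIZE))
    hits: List[str] = []
    for item in CATALOGUE:
        if query in item:
            hits.append(item)
            if len(hits) == page_size:  # stop scanning once the page is full
                break
    return hits


def simulate_burst(n: int, limiter: TokenBucket,
                   interval: float = 0.0625) -> Tuple[int, int]:
    """One client (hypothetical 203.0.113.9) fires `n` worst-case requests
    `interval` seconds apart; returns (served, rejected)."""
    served = rejected = 0
    for i in range(n):
        try:
            search_hardened("203.0.113.9", "item", 10**9,
                            now=100.0 + i * interval, limiter=limiter)
            served += 1
        except RequestRejected:
            rejected += 1
    return served, rejected


if __name__ == "__main__":
    print("unbounded rows returned:", len(search_unbounded("i", 10**9)))
    print("burst of 100 against hardened handler (served, rejected):",
          simulate_burst(100, TokenBucket(rate=4.0, burst=20)))
```

With a bucket of 20 and a refill of 4 per second, a client sending 100 requests at 16 per second gets its initial burst served and is then throttled to roughly the refill rate; the point is that the attacker's cost per request stays constant while the server's is now capped.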
To assist in defending against Web threats, the Open Web Application Security Project (OWASP) was created. It publishes the most critical risks facing organizations in its “Top Ten Most Critical Web Application Security Risks.”
While the report outlines ten of the most prevalent application-layer risks, it is updated only every three years or so. In the meantime, new and more sophisticated attack methods are being perpetrated at an alarming rate. Until developers build security into their products, it will be up to security teams to remain vigilant by deploying solutions designed to identify anomalous behavior at the network ingress.
Another Wrinkle to Consider – DDoS as a Distraction
Web, system and network admins need to be vigilant about Layer 7 DDoS attacks; however, the application layer can be targeted in an even more sinister way. As we have witnessed, attackers are getting smarter. It was reported earlier this year that attackers are employing bursts that are short in duration but large in traffic volume, and they do so for a variety of reasons. Shopping (eCommerce) websites, for example, are particularly prone to this type of attack: a short burst timed against the checkout blocks paying customers at the last minute, forcing them to abandon their purchase.
Such a burst can also be used to probe a network’s resources, such as how much memory or bandwidth is available, in order to determine the amount of traffic needed to flood it. Once that is known, the attackers launch a volumetric attack to distract IT personnel while they go after the application layer from the back end. An attack of this kind will typically have been preceded by the injection of malware or the discovery of a security flaw that gives the attacker a measure of control.
The challenge for network personnel is to determine whether or not the traffic is legitimate; in other words, which requests come from a bot and which from a customer? Advanced security tools are needed to make that distinction at speed.
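The traffic profiling described above (separating humans from scripted and human-like bots) and the bot-versus-customer question this section closes on can be illustrated with the following added example; it is not code from the article or from any vendor product. It parses a constructed Combined Log Format excerpt (addresses from the documentation ranges, one browsing human, one scripted bot, one bot that presents a browser User-Agent) and scores each client on four assumed heuristics: the share of requests to expensive endpoints, whether the client ever fetched a page's static assets, its peak request rate over a sliding window, and whether its User-Agent claims to be a browser. The endpoint lists and thresholds are illustrative and would be tuned to a real site's traffic.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set

# Combined Log Format as written by Apache/nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
EXPENSIVE = ("/search", "/login", "/checkout")            # assumed costly endpoints
STATIC = (".css", ".js", ".png", ".jpg", ".gif", ".ico")  # assets a real browser fetches

# Constructed sample traffic: (ip, second, method, path, status, user-agent).
BROWSER = "Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0"
SCRIPT = "python-requests/2.7.0"
EVENTS = [
    ("198.51.100.7", 0, "GET", "/", 200, BROWSER),               # a human: page, its assets,
    ("198.51.100.7", 0, "GET", "/static/site.css", 200, BROWSER),  # then one search and a
    ("198.51.100.7", 1, "GET", "/static/app.js", 200, BROWSER),    # product page over ~40 s
    ("198.51.100.7", 1, "GET", "/images/logo.png", 200, BROWSER),
    ("198.51.100.7", 12, "GET", "/search?q=shoes", 200, BROWSER),
    ("198.51.100.7", 25, "GET", "/product/42", 200, BROWSER),
    ("198.51.100.7", 41, "GET", "/cart", 200, BROWSER),
]
# a scripted bot hammering the search endpoint: 24 requests in 6 seconds
EVENTS += [("203.0.113.9", 5 + i // 4, "GET", f"/search?q=x{i}", 200, SCRIPT) for i in range(24)]
# a "human-like" bot: browser User-Agent, but only POSTs to /login and never loads assets
EVENTS += [("203.0.113.10", 20 + i // 2, "POST", "/login", 401, BROWSER) for i in range(16)]
SAMPLE_LOG = "\n".join(
    f'{ip} - - [10/Oct/2015:13:55:{sec:02d} +0000] "{m} {path} HTTP/1.1" {st} 512 "-" "{ua}"'
    for ip, sec, m, path, st, ua in EVENTS
)


@dataclass
class Profile:
    requests: int = 0
    expensive: int = 0
    static: int = 0
    timestamps: List[float] = field(default_factory=list)
    user_agents: Set[str] = field(default_factory=set)

    def peak_rate(self, window: float = 10.0) -> float:
        """Highest requests-per-second seen in any `window`-second span."""
        ts = sorted(self.timestamps)
        best = lo = 0
        for hi in range(len(ts)):
            while ts[hi] - ts[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        return best / window


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["epoch"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def profile_log(text: str) -> Dict[str, Profile]:
    profiles: Dict[str, Profile] = defaultdict(Profile)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        p = profiles[rec["ip"]]
        p.requests += 1
        p.expensive += int(rec["path"].startswith(EXPENSIVE))
        p.static += int(rec["path"].endswith(STATIC))
        p.timestamps.append(rec["epoch"])
        p.user_agents.add(rec["ua"])
    return dict(profiles)


def classify(p: Profile) -> str:
    """Score one client; thresholds are illustrative and must be tuned to real traffic."""
    score = 0
    if p.expensive / p.requests >= 0.8:       # almost every request is a costly one
        score += 2
    if p.static == 0 and p.requests >= 5:      # never loaded a page's assets
        score += 1
    if p.peak_rate() >= 1.0:                   # sustained >= 1 req/s over a 10 s window
        score += 2
    if not any("Mozilla" in ua for ua in p.user_agents):
        score += 1                             # not even pretending to be a browser
    return "bot" if score >= 3 else "human"


def classify_log(text: str) -> Dict[str, str]:
    return {ip: classify(p) for ip, p in profile_log(text).items()}


if __name__ == "__main__":
    for ip, verdict in classify_log(SAMPLE_LOG).items():
        print(ip, verdict)
```

Note that the User-Agent check alone would have passed the second bot; it is the combination of a high expensive-endpoint ratio, the absence of asset fetches and the sustained rate that flags it, which is exactly why single-signal filters are insufficient against human-like bots.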
Best Practices to Protect Critical Applications
If you are a software developer or cyber security professional, it is vital that the following best practices be followed, at a minimum.
In summary, application-layer attacks are here to stay, and they will continue to grow in frequency and complexity. It may not be economical to rebuild existing applications from the ground up; therefore, secure application development policies need to be complemented by dedicated security appliances for complete “peace of mind” protection.
About the Author: Rishi Agarwal is Chief Evangelist at NSFOCUS, Inc. He has 12+ years’ experience in Product Marketing, Strategy, Business Development and Product Management. He has broad domain expertise in Network Security, Compute and Storage. Prior to NSFOCUS, he was a Senior Manager at Arbor Networks. Additionally, he has worked at leading technology vendors such as Microsoft, Intel and SanDisk.